nextcloud / docker

⛴ Docker image of Nextcloud
https://hub.docker.com/_/nextcloud/
GNU Affero General Public License v3.0

Kubernetes deploy behind Traefik and Cloudflare #2316

Closed urbaman closed 1 month ago

urbaman commented 1 month ago

Hi,

I'm trying to make this thing work (docker image, latest) behind traefik and cloudflare (browser -> cloudflare -> traefik -> nextcloud)

If I set APACHE_DISABLE_REWRITE_IP=1 I only get Traefik container IP in the logs (and it is among the trusted proxies IPs, see config and logs), if I do not set it, I only get Cloudflare's IP.

Also tried both

  array (
    0 => 'HTTP_CF_CONNECTING_IP',
  ),

and

  array (
    0 => 'X_FORWARDED_FOR',
    0 => 'HTTP_CF_CONNECTING_IP',
  ),

No way to get the client's IP.

Config:

<?php
$CONFIG = array (
  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 =>
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => 'redis-master.redis.svc.cluster.local',
    'password' => 'password',
    'port' => 6379,
  ),
  'overwritehost' => 'nextcloud.domain.com',
  'overwriteprotocol' => 'https',
  'overwrite.cli.url' => 'https://nextcloud.domain.com',
  'trusted_proxies' =>
  array (
    0 => '10.0.100.0/24',
    1 => '173.245.48.0/20',
    2 => '103.21.244.0/22',
    3 => '103.22.200.0/22',
    4 => '103.31.4.0/22',
    5 => '141.101.64.0/18',
    6 => '108.162.192.0/18',
    7 => '190.93.240.0/20',
    8 => '188.114.96.0/20',
    9 => '197.234.240.0/22',
    10 => '198.41.128.0/17',
    11 => '162.158.0.0/15',
    12 => '104.16.0.0/13',
    13 => '104.24.0.0/14',
    14 => '172.64.0.0/13',
    15 => '131.0.72.0/22',
    16 => '10.0.0.0/8',
    17 => '172.16.0.0/12',
    18 => '192.168.0.0/16',
  ),
  'forwarded_for_headers' =>
  array (
    0 => 'HTTP_CF_CONNECTING_IP',
  ),
  'upgrade.disable-web' => true,
  'passwordsalt' => 'KL/WPitLjve++6TZydRdizIM8Jj+kx',
  'secret' => '2+H1cMQ9UDERsB/eqTUL2sd1671Hg5MzXnbOy6Ql8FjemnkT',
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'domain.com',
  ),
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'mysql',
  'version' => '30.0.0.14',
  'dbname' => 'nextcloud',
  'dbhost' => 'mariadb.mariadb.svc.cluster.local',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'password',
  'installed' => true,
  'instanceid' => 'ocl33p15dt2n',
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => 'nextcloud',
  'mail_domain' => 'domain.com',
  'mail_smtpauth' => 1,
  'mail_smtphost' => 'smtp.domain.com',
  'mail_smtpport' => '465',
  'mail_smtpname' => 'nextcloud@domain.com',
  'mail_smtppassword' => 'password',
  'mail_smtpsecure' => 'ssl',
  'mail_smtpstreamoptions' =>
  array (
    'ssl' =>
    array (
      'allow_self_signed' => true,
      'verify_peer' => false,
      'verify_peer_name' => false,
    ),
  ),
  'maintenance_window_start' => 1,
  'maintenance' => false,
  'logtimezone' => 'Europe/Rome',
  'default_phone_region' => 'IT',
);

Logs:

[...]
10.1.238.156 - - [18/Oct/2024:17:24:22 +0200] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 304 705 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"
10.1.238.156 - - [18/Oct/2024:17:25:22 +0200] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 304 705 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"
10.1.238.156 - - [18/Oct/2024:17:25:22 +0200] "GET /ocs/v2.php/apps/dashboard/api/v2/widget-items?widgets%5B%5D=activity HTTP/1.1" 200 853 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"
10.1.238.156 - - [18/Oct/2024:17:26:22 +0200] "GET /ocs/v2.php/apps/dashboard/api/v2/widget-items?widgets%5B%5D=activity HTTP/1.1" 200 853 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"
10.1.238.156 - - [18/Oct/2024:17:26:22 +0200] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 304 705 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"
10.1.238.156 - - [18/Oct/2024:17:26:31 +0200] "PUT /ocs/v2.php/apps/user_status/api/v1/heartbeat?format=json HTTP/1.1" 200 864 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"
10.1.238.156 - - [18/Oct/2024:17:27:26 +0200] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 304 705 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"
10.1.238.156 - - [18/Oct/2024:17:27:26 +0200] "GET /ocs/v2.php/apps/dashboard/api/v2/widget-items?widgets%5B%5D=activity HTTP/1.1" 200 853 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"
10.1.238.156 - - [18/Oct/2024:17:28:26 +0200] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 304 705 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"
10.1.238.156 - - [18/Oct/2024:17:28:26 +0200] "GET /ocs/v2.php/apps/dashboard/api/v2/widget-items?widgets%5B%5D=activity HTTP/1.1" 200 853 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"
10.1.238.156 - - [18/Oct/2024:17:29:22 +0200] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 304 705 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"
10.1.238.156 - - [18/Oct/2024:17:29:22 +0200] "GET /ocs/v2.php/apps/dashboard/api/v2/widget-items?widgets%5B%5D=activity HTTP/1.1" 200 853 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"

joshtrichards commented 1 month ago

This is a bug reporting channel for the image. You can find help configuring/debugging your deployment on the forums: https://help.nextcloud.com/

joshtrichards commented 1 month ago

If I set APACHE_DISABLE_REWRITE_IP=1 I only get Traefik container IP in the logs (and it is among the trusted proxies IPs, see config and logs), if I do not set it, I only get Cloudflare's IP.

P.S. Check your nextcloud.log and/or Administration settings->Overview to confirm what the remote IP address of the client connections are from Nextcloud's perspective. The log you included is the Apache log, which doesn't know anything about trusted_proxies.
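
The trusted_proxies / forwarded_for_headers interaction discussed in this thread, as an added example that is not part of the original issue and is not Nextcloud's own code: a simplified Python model of how an application behind the browser -> Cloudflare -> Traefik chain can resolve the client address. The function names, the sample requests and the addresses 203.0.113.7, 198.51.100.9 and 162.158.10.20 are assumptions made for illustration; 10.1.238.156 and the CIDR ranges are taken from the log and config above.

```python
import ipaddress

# Subset of the trusted_proxies ranges from the config in this thread.
TRUSTED = ["10.0.0.0/8", "173.245.48.0/20", "162.158.0.0/15", "172.64.0.0/13"]

def is_trusted(ip, trusted=TRUSTED):
    """True if ip parses and falls inside one of the trusted CIDR ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net) for net in trusted)

def resolve_client_ip(server, headers, trusted=TRUSTED):
    """server: CGI-style variables (REMOTE_ADDR, HTTP_*), as in PHP's $_SERVER."""
    peer = server.get("REMOTE_ADDR", "")
    # Forwarded headers are client-controlled unless the TCP peer is our proxy.
    if not is_trusted(peer, trusted):
        return peer
    for name in headers:
        hops = [h.strip() for h in server.get(name, "").split(",") if h.strip()]
        # Walk right to left: skip our own proxies, stop at the first other hop.
        for hop in reversed(hops):
            if is_trusted(hop, trusted):
                continue
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                break  # malformed entry: do not use this header
    return peer

# Constructed requests. 10.1.238.156 is the Traefik address from the access log;
# 203.0.113.7 and 198.51.100.9 are documentation addresses standing in for clients.
VIA_PROXIES = {
    "REMOTE_ADDR": "10.1.238.156",
    "HTTP_X_FORWARDED_FOR": "203.0.113.7, 162.158.10.20",
    "HTTP_CF_CONNECTING_IP": "203.0.113.7",
}
SPOOFED_DIRECT = {"REMOTE_ADDR": "198.51.100.9", "HTTP_CF_CONNECTING_IP": "203.0.113.7"}

if __name__ == "__main__":
    print(resolve_client_ip(VIA_PROXIES, ["HTTP_CF_CONNECTING_IP"]))     # CF header
    print(resolve_client_ip(VIA_PROXIES, ["HTTP_X_FORWARDED_FOR"]))      # XFF chain
    print(resolve_client_ip(VIA_PROXIES, ["X_FORWARDED_FOR"]))           # no such variable
    print(resolve_client_ip(SPOOFED_DIRECT, ["HTTP_CF_CONNECTING_IP"]))  # header ignored
```

In this model a header name that matches no server variable leaves the proxy's own address as the result, and a forwarded header from a peer outside the trusted ranges is ignored.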